Reference no: EM132572924, Length: 6 pages
Discussion
This week's discussion will focus on the Win32 API, which is discussed in more depth in Chapter 7. Each student will be assigned a Win32 function to research on the MSDN library and share their findings. Explain the function's usage, return type, parameters, parameter data types, and a potential real-world scenario where malware may make use of this function. Which DLL contains the function's definition? Also, provide a code snippet in either C or assembly as an example of the function's usage. If MSDN provides a code example, don't just blatantly copy the code. That tells me nothing other than that you know how to copy and paste. Demonstrate that you understand how to read a function's documentation and usage. If you are super motivated, provide both high-level source code and assembly code!
As an example, I attached a copy of my analysis on the CreateFile() API Function.
You can pick your own function to discuss from the list below. If there is another function you read about that's not on the list, then you can discuss that function instead. Let's try to avoid duplicates, but I know this is difficult to deconflict, so no worries if we have a function collision. I do not need an exhaustive list of all the potential constants for each parameter. Nor do I want a copy and paste from the MSDN documentation. I can read the documentation myself; there is no need to reproduce it. Instead, focus on what you think is important. If your analysis is longer than mine, then you did too much work! Typically, the first hit from a Google search will bring you to the correct MSDN documentation.
Part 1 - Defuse the Bomb
The part 1 lab exercise is based on material covered in chapters 4, 5, and 6.
There is a bomb on your system! Your reverse engineering skills are required to defuse the bomb and save countless bits. Load bomb.exe into IDA to discover the keys to defuse the bomb. You can attempt each stage as many times as needed. All stages must be completed in order. Do not tamper with the bomb's binary, as it may invoke an accidental discharge. Only use static code analysis via IDA to find the keys.
There are five stages to defuse. For each stage, record the key and provide a summary of the code construct or algorithm used to check the key. In other words, did the bomb test for the stage's key using an if-statement, switch, loop, or some other variation? You should include screenshots from your IDA display to show where you discovered the key.
If you are stuck at a stage and wish to attempt later stages, ask your chief binary explosive ordnance disposal officer (your instructor) for that stage's key. However, you will not receive credit for solving that stage.
There is a bonus stage unlocked after the bomb is defused. You may wish to attempt that stage for bragging rights. There is also an optional secret stage that you must unlock before it can be attempted. Your instructor may grant extra credit for unlocking and solving the secret stage.
1. Stage 1.
a. Key:
b. Briefly describe how you found the key.
2. Stage 2.
a. Key:
b. Briefly describe how you found the key.
3. Stage 3.
There are several possible keys for this stage. For full credit, provide all possible keys.
a. Key:
b. Briefly describe how you found the key.
4. Stage 4.
a. Key:
b. Briefly describe how you found the key.
5. Stage 5.
a. Key:
b. Briefly describe how you found the key.
6. Bonus Stage.
a. Key:
b. Briefly describe how you found the key.
7. Which compiler do you suspect was used to build this bomb? What is your evidence?
Part 2 - Analyzing Windows Programs
1) What is a handle in the Windows OS?
2) NTFS alternate data streams (ADS) are sometimes used to stage malware or hide information. Create an ADS in the Lab3 folder that stores the message "Norwich Forever". Show a screenshot of dir and dir /R to validate your ADS.
3) List and briefly describe the five Windows Registry Root Keys.
4) Describe what the following code segment is doing. Which function is being called? From what is provided, what are the values (or locations) of the function's parameters? Why would malware contain such code?
5) Analyze the following source code. What is the purpose of the WSAStartup() function? Explain what kind of socket is being created by examining the parameters.
6) What are COM objects, and how are they accessed?
7) Briefly explain the following code.
8) Briefly describe the Windows Native API. Which DLL contains Native API functions? How can you easily recognize a Native API call when analyzing function calls?
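A worked version of the ADS step in question 2, added here as an example and not part of the assignment's own files. It assumes an NTFS volume, a Lab3 folder under the current directory (created if missing), and notes.txt as the carrier file name; the final sweep is the check an analyst would run to find streams a plain dir never shows.

```powershell
# Added example for question 2 (not from the assignment package).
# Assumptions: NTFS volume, .\Lab3 as the lab folder, notes.txt as the carrier file.
$lab = Join-Path (Get-Location) 'Lab3'
New-Item -ItemType Directory -Path $lab -Force | Out-Null

# The carrier file's default ::$DATA stream holds harmless text;
# the named stream "hidden" holds the message the lab asks for.
$carrier = Join-Path $lab 'notes.txt'
Set-Content -Path $carrier -Value 'Nothing to see here.'
Set-Content -Path $carrier -Stream 'hidden' -Value 'Norwich Forever'

# Plain dir: only notes.txt and the size of its main stream are listed.
cmd /c dir "$lab"
# dir /R: each alternate stream appears as notes.txt:hidden:$DATA with its own size.
cmd /c dir /R "$lab"

# Reading the stream back is how a stager would retrieve hidden content.
Get-Content -Path $carrier -Stream 'hidden'

# Defender sweep: enumerate every stream on every file under Lab3 and report
# anything other than the default ::$DATA. Zone.Identifier (Mark of the Web)
# is the common benign hit; anything else deserves a look.
Get-ChildItem -Path $lab -File -Recurse | ForEach-Object {
    Get-Item -LiteralPath $_.FullName -Stream *
} | Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length | Format-Table -AutoSize

# Cleanup/remediation: delete just the alternate stream, keeping the carrier file.
Remove-Item -Path $carrier -Stream 'hidden'
```

Copying a file to a FAT or exFAT volume, or through a tool that is not stream-aware, silently drops the alternate stream, which is why the sweep above runs on the NTFS location where the file actually lives.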
For the following questions, analyze the sample Lab3.exe.
9) Document the basic static file information.
10) Using IDA, analyze the sample. Your analysis must contain considerable depth to explain the program's mechanics and convey comprehension of the concepts. Include some relevant screenshots from IDA that contain interesting information. Analysis of some of the malware's functionality is provided below for you as an example. The provided analysis will help you determine the program's overall intent. Your analysis should cover:
a. Persistence mechanisms (registry, services, functions used, etc.).
b. Mutex information (name of mutex, purpose of mutex, functions used, etc).
c. Any thread information (functions used to create thread, thread StartAddress information, number of threads created, etc.)
d. Networking information (Domains, protocols, functions used, etc.).
e. Conclusions. What do you suppose is the malware's overall intent? How would you classify this malware (ransomware, worm, adware, logic bomb, etc.)? Can you recommend a way to remove the malware's persistence (HINT: sc command-line program)?
Attachment: Discussion.rar